Automated Malware Tools At Heart of Data Extraction

Description

Most attention goes to keeping hackers out. But once they're inside, how do they extract data? Research into 200 data breaches across 24 countries examines the ways data is leaving. Read the full article. [CSO]

Vulners, 2018

{"result": {"redhat": [{"lastseen": "2018-08-14T17:58:01", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "kernel", "packageFilename": "kernel-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "kernel", "packageFilename": "kernel-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel", "packageFilename": "kernel-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "src", "packageName": "kernel", "packageFilename": "kernel-2.6.32-754.3.5.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "kernel", "packageFilename": "kernel-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "noarch", "packageName": "kernel-abi-whitelists", "packageFilename": "kernel-abi-whitelists-2.6.32-754.3.5.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "kernel-bootwrapper", "packageFilename": "kernel-bootwrapper-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "kernel-debug", "packageFilename": "kernel-debug-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "kernel-debug", "packageFilename": "kernel-debug-2.6.32-754.3.5.el6.ppc64.rpm", "operator": 
"lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel-debug", "packageFilename": "kernel-debug-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "kernel-debug", "packageFilename": "kernel-debug-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", 
"OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "kernel-debuginfo-common-i686", "packageFilename": "kernel-debuginfo-common-i686-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "kernel-debuginfo-common-ppc64", "packageFilename": "kernel-debuginfo-common-ppc64-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel-debuginfo-common-s390x", "packageFilename": "kernel-debuginfo-common-s390x-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "kernel-debuginfo-common-x86_64", "packageFilename": "kernel-debuginfo-common-x86_64-2.6.32-754.3.5.el6.x86_64.rpm", 
"operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "noarch", "packageName": "kernel-doc", "packageFilename": "kernel-doc-2.6.32-754.3.5.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "noarch", "packageName": "kernel-firmware", "packageFilename": "kernel-firmware-2.6.32-754.3.5.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "kernel-headers", "packageFilename": "kernel-headers-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "kernel-headers", "packageFilename": "kernel-headers-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel-headers", "packageFilename": "kernel-headers-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": 
"kernel-headers", "packageFilename": "kernel-headers-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel-kdump", "packageFilename": "kernel-kdump-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel-kdump-debuginfo", "packageFilename": "kernel-kdump-debuginfo-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "kernel-kdump-devel", "packageFilename": "kernel-kdump-devel-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "perf", "packageFilename": "perf-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "perf", "packageFilename": "perf-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "perf", "packageFilename": "perf-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "perf", "packageFilename": "perf-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "perf-debuginfo", "packageFilename": "perf-debuginfo-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "perf-debuginfo", "packageFilename": "perf-debuginfo-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": 
"2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "perf-debuginfo", "packageFilename": "perf-debuginfo-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "perf-debuginfo", "packageFilename": "perf-debuginfo-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "python-perf", "packageFilename": "python-perf-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "python-perf", "packageFilename": "python-perf-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "python-perf", "packageFilename": "python-perf-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "python-perf", "packageFilename": "python-perf-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "i686", "packageName": "python-perf-debuginfo", "packageFilename": "python-perf-debuginfo-2.6.32-754.3.5.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "ppc64", "packageName": "python-perf-debuginfo", "packageFilename": "python-perf-debuginfo-2.6.32-754.3.5.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "s390x", "packageName": "python-perf-debuginfo", "packageFilename": "python-perf-debuginfo-2.6.32-754.3.5.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-754.3.5.el6", "arch": "x86_64", "packageName": "python-perf-debuginfo", 
"packageFilename": "python-perf-debuginfo-2.6.32-754.3.5.el6.x86_64.rpm", "operator": "lt"}], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646)\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. 
(CVE-2018-3693)\n\n* kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901)\n\n* kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861)\n\n* kernel: Use-after-free in snd_seq_ioctl_create_port() (CVE-2017-15265)\n\n* kernel: race condition in snd_seq_write() may lead to UAF or OOB-access (CVE-2018-7566)\n\n* kernel: Race condition in sound system can lead to denial of service (CVE-2018-1000004)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646; Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) for reporting CVE-2018-3693; and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.\n\nBug Fix(es):\n\n* The Least recently used (LRU) operations are batched by caching pages in per-cpu page vectors to prevent contention of the heavily used lru_lock spinlock. The page vectors can hold even the compound pages. Previously, the page vectors were cleared only if they were full. Subsequently, the amount of memory held in page vectors, which is not reclaimable, was sometimes too high. Consequently the page reclamation started the Out of Memory (OOM) killing processes. With this update, the underlying source code has been fixed to clear LRU page vectors each time when a compound page is added to them. As a result, OOM killing processes due to high amounts of memory held in page vectors no longer occur. 
(BZ#1575819)", "reporter": "RedHat", "published": "2018-08-14T21:07:28", "type": "redhat", "title": "(RHSA-2018:2390) Important: kernel security and bug fix update", "enchantments": {"score": {"modified": "2018-08-14T17:58:01", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-0861", "CVE-2017-15265", "CVE-2018-1000004", "CVE-2018-10901", "CVE-2018-3620", "CVE-2018-3646", "CVE-2018-3693", "CVE-2018-7566"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-08-14T21:18:43", "id": "RHSA-2018:2390", "href": "https://access.redhat.com/errata/RHSA-2018:2390", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-14T17:58:27", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel", "packageFilename": "kernel-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel", "packageFilename": "kernel-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel", "packageFilename": "kernel-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "src", "packageName": "kernel", "packageFilename": "kernel-3.10.0-862.11.6.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel", "packageFilename": "kernel-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "noarch", "packageName": "kernel-abi-whitelists", 
"packageFilename": "kernel-abi-whitelists-3.10.0-862.11.6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-bootwrapper", "packageFilename": "kernel-bootwrapper-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-bootwrapper", "packageFilename": "kernel-bootwrapper-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-debug", "packageFilename": "kernel-debug-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-debug", "packageFilename": "kernel-debug-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel-debug", "packageFilename": "kernel-debug-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-debug", "packageFilename": "kernel-debug-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel-debug-debuginfo", "packageFilename": 
"kernel-debug-debuginfo-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-debuginfo", "packageFilename": 
"kernel-debuginfo-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-debuginfo-common-ppc64", "packageFilename": "kernel-debuginfo-common-ppc64-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-debuginfo-common-ppc64le", "packageFilename": "kernel-debuginfo-common-ppc64le-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel-debuginfo-common-s390x", "packageFilename": "kernel-debuginfo-common-s390x-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-debuginfo-common-x86_64", "packageFilename": "kernel-debuginfo-common-x86_64-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-devel", "packageFilename": "kernel-devel-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-devel", "packageFilename": "kernel-devel-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel-devel", "packageFilename": "kernel-devel-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-devel", "packageFilename": "kernel-devel-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "noarch", "packageName": 
"kernel-doc", "packageFilename": "kernel-doc-3.10.0-862.11.6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-headers", "packageFilename": "kernel-headers-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-headers", "packageFilename": "kernel-headers-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel-headers", "packageFilename": "kernel-headers-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-headers", "packageFilename": "kernel-headers-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel-kdump", "packageFilename": "kernel-kdump-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel-kdump-debuginfo", "packageFilename": "kernel-kdump-debuginfo-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "kernel-kdump-devel", "packageFilename": "kernel-kdump-devel-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-tools", "packageFilename": "kernel-tools-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-tools", "packageFilename": 
"kernel-tools-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-tools", "packageFilename": "kernel-tools-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-tools-debuginfo", "packageFilename": "kernel-tools-debuginfo-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-tools-debuginfo", "packageFilename": "kernel-tools-debuginfo-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-tools-debuginfo", "packageFilename": "kernel-tools-debuginfo-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-tools-libs", "packageFilename": "kernel-tools-libs-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-tools-libs", "packageFilename": "kernel-tools-libs-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-tools-libs", "packageFilename": "kernel-tools-libs-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "kernel-tools-libs-devel", "packageFilename": "kernel-tools-libs-devel-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "kernel-tools-libs-devel", 
"packageFilename": "kernel-tools-libs-devel-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "kernel-tools-libs-devel", "packageFilename": "kernel-tools-libs-devel-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "perf", "packageFilename": "perf-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "perf", "packageFilename": "perf-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "perf", "packageFilename": "perf-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "perf", "packageFilename": "perf-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "perf-debuginfo", "packageFilename": "perf-debuginfo-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "perf-debuginfo", "packageFilename": "perf-debuginfo-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "perf-debuginfo", "packageFilename": "perf-debuginfo-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "perf-debuginfo", "packageFilename": "perf-debuginfo-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", 
"packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "python-perf", "packageFilename": "python-perf-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "python-perf", "packageFilename": "python-perf-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "python-perf", "packageFilename": "python-perf-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "python-perf", "packageFilename": "python-perf-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64", "packageName": "python-perf-debuginfo", "packageFilename": "python-perf-debuginfo-3.10.0-862.11.6.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "ppc64le", "packageName": "python-perf-debuginfo", "packageFilename": "python-perf-debuginfo-3.10.0-862.11.6.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "s390x", "packageName": "python-perf-debuginfo", "packageFilename": "python-perf-debuginfo-3.10.0-862.11.6.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "3.10.0-862.11.6.el7", "arch": "x86_64", "packageName": "python-perf-debuginfo", "packageFilename": "python-perf-debuginfo-3.10.0-862.11.6.el7.x86_64.rpm", "operator": "lt"}], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access 
control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646)\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3693)\n\n* A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. 
(CVE-2018-5390)\n\n* kernel: crypto: privilege escalation in skcipher_recvmsg function (CVE-2017-13215)\n\n* kernel: mm: use-after-free in do_get_mempolicy function allows local DoS or other unspecified impact (CVE-2018-10675)\n\n* kernel: race condition in snd_seq_write() may lead to UAF or OOB access (CVE-2018-7566)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646; Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) for reporting CVE-2018-3693; and Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390.\n\nBug Fix(es):\n\nThese updated kernel packages include also numerous bug fixes. Space precludes documenting all of the bug fixes in this advisory. See the descriptions in the related Knowledge Article:\n\nhttps://access.redhat.com/articles/3527791", "reporter": "RedHat", "published": "2018-08-14T21:05:56", "type": "redhat", "title": "(RHSA-2018:2384) Important: kernel security and bug fix update", "enchantments": {"score": {"modified": "2018-08-14T17:58:27", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-13215", "CVE-2018-10675", "CVE-2018-3620", "CVE-2018-3646", "CVE-2018-3693", "CVE-2018-5390", "CVE-2018-7566"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-08-14T21:18:28", "id": "RHSA-2018:2384", "href": "https://access.redhat.com/errata/RHSA-2018:2384", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-08-14T19:13:11", "_object_types": ["robots.models.base.Bulletin", "robots.models.thn.ThnBulletin"], "references": [], "description": "[![microsoft windows update patch 
tuesday](https://1.bp.blogspot.com/-qwwoxa_7EJU/W3MgMLUnqBI/AAAAAAAAx2w/Vm6kHn_yEXcCGZdP9PzpzEq1AnAL0XqkQCLcBGAs/s728-e100/microsoft-windows-update.png)](<https://1.bp.blogspot.com/-qwwoxa_7EJU/W3MgMLUnqBI/AAAAAAAAx2w/Vm6kHn_yEXcCGZdP9PzpzEq1AnAL0XqkQCLcBGAs/s728-e100/microsoft-windows-update.png>)\n\nGet your update caps on. \n \nJust a few minutes ago Microsoft released its latest monthly Patch Tuesday update for August 2018, patching a total of 60 vulnerabilities, of which 19 are rated as critical. \n \nThe updates patch flaws in Microsoft Windows, the Edge browser, Internet Explorer, Office, ChakraCore, .NET Framework, Exchange Server, Microsoft SQL Server and Visual Studio. \n \nTwo of these vulnerabilities patched by the tech giant are listed as publicly known and being exploited in the wild at the time of release. \n \nAccording to the [advisory](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/ecb26425-583f-e811-a96f-000d3a33c573>) released by Microsoft, all 19 critical-rated vulnerabilities lead to remote code execution (RCE), some of which could eventually allow attackers to take control of the affected system if exploited successfully. \n \nBesides this, Microsoft has also addressed 39 important flaws, one moderate and one low in severity. \n \nBelow are brief details of a few of the critical vulnerabilities and of the publicly exploited important ones: \n \n### Internet Explorer Memory Corruption Vulnerability (CVE-2018-8373)\n\n \nThe first vulnerability under active attack is a critical remote code execution vulnerability that was revealed by Trend Micro last month and affects all supported versions of Windows. \n \nInternet Explorer 9, 10 and 11 are vulnerable to a memory corruption issue that could allow remote attackers to take control of vulnerable systems just by convincing users to view a specially crafted website through Internet Explorer. 
\n \n\n\n> \"An attacker could also embed an ActiveX control marked \u2018safe for initialization\u2019 in an application or Microsoft Office document that hosts the IE rendering engine,\" Microsoft says in its advisory.\n\n \n\n\n### Windows Shell Remote Code Execution Vulnerability (CVE-2018-8414)\n\n \nThe second publicly known and actively exploited flaw resides in the Windows Shell and stems from improper validation of file paths. \n \nArbitrary code can be executed on the targeted system by convincing victims to open a specially crafted file received via email or a web page. \n \n\n\n### Microsoft SQL Server RCE (CVE-2018-8273)\n\n \nMicrosoft SQL Server 2016 and 2017 are vulnerable to a buffer overflow that could be exploited remotely by an attacker to execute arbitrary code in the context of the SQL Server Database Engine service account. \n\n\n \nSuccessful exploitation of the vulnerability requires a remote attacker to submit a specially crafted query to an affected SQL server. \n \n\n\n### Windows PDF Remote Code Execution Vulnerability (CVE-2018-8350)\n\n \nWindows 10 systems with Microsoft Edge set as the default browser can be compromised merely by convincing users to view a website. \n \nDue to improper handling of objects in memory, Windows 10's PDF library could be exploited by a remote attacker to execute arbitrary code on the targeted system. 
\n\n\n> \"The attacker could also take advantage of compromised websites or websites that accept or host user-provided content or advertisements, by adding specially crafted PDF content to such sites,\" Microsoft says in its advisory.\n\n> \"Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website.\"\n\n \n\n\n### Microsoft Exchange Memory Corruption Vulnerability (CVE-2018-8302)\n\n \nThis vulnerability resides in the way Exchange handles objects in memory, allowing a remote attacker to run arbitrary code in the context of the System user just by sending a specially crafted email to the vulnerable Exchange server. \n \nThe flaw affects Microsoft Exchange Server 2010, 2013 and 2016. \n \n\n\n### Microsoft Graphics Remote Code Execution Vulnerability (CVE-2018-8344)\n\n \nMicrosoft revealed that the Windows font library improperly handles specially crafted embedded fonts, which could allow attackers to take control of the affected system by serving maliciously embedded fonts via a specially crafted website or document file. \n \nThis vulnerability affects Windows 10, 8.1, and 7, and Windows Server 2016 and 2012. \n \n\n\n### LNK Remote Code Execution Vulnerability (CVE-2018-8345)\n\n \nThis vulnerability exists in the .LNK shortcut file format used by Microsoft Windows 10, 8.1, 7 and Windows Server editions. \n \nAn attacker can use a malicious .LNK file and an associated malicious binary to execute arbitrary code on the targeted system. Successful exploitation of this vulnerability could allow attackers to gain the same user rights on the target Windows system as the local user. \n\n\n \nAccording to the Microsoft advisory, user accounts configured with fewer user rights on the system are less impacted by this vulnerability than users who operate with administrative user rights. 
\n \n\n\n### GDI+ Remote Code Execution Vulnerability (CVE-2018-8397)\n\n \nThis RCE flaw resides in the way the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to take control of the affected system if exploited successfully. \n\n\n> \"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\" Microsoft says in its advisory explaining the flaw.\n\n> \"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\"\n\nThe vulnerability affects Windows 7 and Windows Server 2008. \n \nBesides this, Microsoft has also pushed security updates to [patch vulnerabilities in Adobe products](<https://thehackernews.com/2018/08/adobe-patch-updates.html>), details of which you can get through a separate article posted today. \n \nUsers are strongly advised to apply security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers. \n \nTo install the security updates, go to Settings \u2192 Update & security \u2192 Windows Update \u2192 Check for updates, or install the updates manually. \n
", "reporter": "The Hacker News", "published": "2018-08-14T18:32:00", "type": "thn", "title": "Microsoft Releases Patches for 60 Flaws\u2014Two Under Active Attack", "enchantments": {"score": {"modified": "2018-08-14T19:13:11", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "info", "cvelist": ["CVE-2018-8273", "CVE-2018-8302", "CVE-2018-8344", "CVE-2018-8345", "CVE-2018-8350", "CVE-2018-8373", "CVE-2018-8397", "CVE-2018-8414"], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2018-08-14T18:36:07", "id": "THN:F033FC8698702175A4736D089C3C9D13", "href": "https://thehackernews.com/2018/08/microsoft-patch-updates.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-14T11:12:45", "_object_types": ["robots.models.base.Bulletin", "robots.models.thn.ThnBulletin"], "references": [], "description": "[![hack printers and computers using fax machine](https://1.bp.blogspot.com/-px1aB49ZelU/W3KtmnpKuRI/AAAAAAAAx2A/r4g2anXcjO0WUbYJCFIJuJPs3U1tvwTLQCLcBGAs/s728-e100/hack-printers-computers-using-fax-machine.png)](<https://1.bp.blogspot.com/-px1aB49ZelU/W3KtmnpKuRI/AAAAAAAAx2A/r4g2anXcjO0WUbYJCFIJuJPs3U1tvwTLQCLcBGAs/s728-e100/hack-printers-computers-using-fax-machine.png>)\n\nWhat is the most a remote attacker can do just by knowing your fax machine's number? \n \nBelieve it or not, your fax number alone is enough for a hacker to gain complete control over the printer and possibly infiltrate the rest of the network connected to it. \n \nCheck Point researchers have revealed details of two critical remote code execution (RCE) vulnerabilities they discovered in the communication protocols used in tens of millions of fax machines globally. \n \nYou might be thinking: who uses fax these days? 
\n\n\n \nWell, fax is not a thing of the past. With more than 300 million fax numbers and 45 million fax machines in use globally, fax is still popular among many business organizations, regulators, lawyers, bankers, and real estate firms. \n \nSince most fax machines today are integrated into all-in-one printers connected to both a Wi-Fi network and a PSTN phone line, a remote attacker can simply send a specially crafted image file via fax to exploit the reported vulnerabilities and seize control of an enterprise or home network. \n \nAll the attacker needs to exploit these vulnerabilities is a fax number, which can easily be found by browsing a corporate website or simply requesting it. \n \n\n\n### Faxploit Attack \u2014 Demonstration Video\n\nDubbed **Faxploit**, the attack involves two buffer overflow vulnerabilities, one triggered while parsing COM markers (CVE-2018-5925) and another, stack-based, triggered while parsing DHT markers (CVE-2018-5924), which lead to remote code execution. \n \nTo [demonstrate](<https://blog.checkpoint.com/2018/08/12/faxploit-hp-printer-fax-exploit/>) the attack, Check Point Malware Research Team Lead Yaniv Balmas and security researcher Eyal Itkin used popular HP Officejet Pro All-in-One fax printers, the HP Officejet Pro 6830 all-in-one printer and the OfficeJet Pro 8720. \n \nAs shown in the demonstration video, the researchers send an image file loaded with a malicious payload through the phone line, and as soon as the fax machine receives it, the image is decoded and loaded into the fax printer's memory. 
\n\n\n \nIn their case, the researchers used the NSA-developed [EternalBlue and DoublePulsar](<https://thehackernews.com/2017/04/windows-hacking-tools.html>) exploits, which were leaked by the [Shadow Brokers](<https://thehackernews.com/2017/05/shodow-brokers-wannacry-hacking.html>) group and were behind the [WannaCry ransomware](<https://thehackernews.com/2017/05/how-to-wannacry-ransomware.html>) global outbreak last year, to take over a connected machine and further spread the malicious code through the network. \n \n\n\n> \"Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer,\" the researchers said in a detailed [blog post](<https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/>) published today. \n \n\"We believe that this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines.\"\n\n \nAccording to the Check Point researchers, attackers can embed malware in the image file, including ransomware, cryptocurrency miners, or surveillance tools, depending upon their targets of interest and motives. \n \nCheck Point researchers responsibly disclosed their findings to HP, which quickly fixed the flaws in its all-in-one printers and deployed firmware patches in response. A patch is available on HP's [support page](<https://support.hp.com/us-en/document/c06097712>). 
\n \nHowever, the researchers believe the same vulnerabilities could also impact most fax-based all-in-one printers sold by other manufacturers and other fax implementations, such as fax-to-mail services, standalone fax machines, and more.\n", "reporter": "The Hacker News", "published": "2018-08-14T10:35:00", "type": "thn", "title": "Hackers can compromise your network just by sending a Fax", "enchantments": {"score": {"modified": "2018-08-14T11:12:45", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "info", "cvelist": ["CVE-2018-5924", "CVE-2018-5925"], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2018-08-14T10:35:40", "id": "THN:2F395858FFE43BF6A13B6CD08DF6F996", "href": "https://thehackernews.com/2018/08/hack-printer-fax-machine.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "xen": [{"lastseen": "2018-08-14T22:13:09", "references": [], "description": "#### ISSUE DESCRIPTION\nIn x86 nomenclature, a Terminal Fault is a pagetable walk which aborts due to the page being not present (e.g. paged out to disk), or because of reserved bits being set.\nArchitecturally, such a memory access will result in a page fault exception, but some processors will speculatively compute the physical address and issue an L1D lookup. If data resides in the L1D cache, it may be forwarded to dependent instructions, and may be leaked via a side channel.\nFurthermore:\n * SGX protections are not applied\n * EPT guest to host translations are not applied\n * SMM protections are not applied\nThis issue is split into multiple CVEs depending on circumstance. The CVEs which apply to Xen are:\n * CVE-2018-3620 - Operating Systems and SMM\n * CVE-2018-3646 - Hypervisors\nFor more details, see: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html\n#### IMPACT\nAn attacker can potentially read arbitrary host RAM. 
This includes data belonging to Xen, data belonging to other guests, and data belonging to different security contexts within the same guest.\nAn attacker could be a guest kernel (which can manipulate the pagetables directly), or could be guest userspace either directly (e.g. with mprotect() or similar system call) or indirectly (by gaming the guest kernel's paging subsystem).\n#### VULNERABLE SYSTEMS\nSystems running all versions of Xen are affected.\nOnly x86 processors are vulnerable. ARM processors are not known to be affected.\nOnly Intel Core based processors (from at least Merom onwards) are potentially affected. Other processor designs (Intel Atom/Knights range), and other manufacturers (AMD) are not known to be affected.\nx86 PV guests fall into the CVE-2018-3620 (OS and SMM) category. x86 HVM and PVH guests fall into the CVE-2018-3646 (Hypervisors) category.\n", "edition": 1, "reporter": "Xen Project", "published": "2018-08-14T17:15:00", "title": "L1 Terminal Fault speculative side channel", "type": "xen", "enchantments": {"score": {"modified": "2018-08-14T22:13:09", "vector": "NONE", "value": 2.1}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2018-3646", "CVE-2018-3620"], "modified": "2018-08-14T17:15:00", "id": "XSA-273", "href": "http://xenbits.xen.org/xsa/advisory-273.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-14T22:13:09", "references": [], "description": "#### ISSUE DESCRIPTION\nThe logic in oxenstored for handling writes depended on the order of evaluation of expressions making up a tuple.\nAs indicated in section 7.7.3 \"Operations on data structures\" of the OCaml manual:\n http://caml.inria.fr/pub/docs/manual-ocaml/expr.html\nthe order of evaluation of subexpressions is not specified. 
In practice, different implementations behave differently.\n#### IMPACT\noxenstored may not enforce the configured quota-maxentity.\nThis allows a malicious or buggy guest to write as many xenstore entries as it wishes, causing unbounded memory usage in oxenstored. This can lead to a system-wide DoS.\n#### VULNERABLE SYSTEMS\nXen 4.1 and later are potentially vulnerable.\nOnly systems using the OCaml xenstored implementation are potentially vulnerable. Systems using the C xenstored implementation are not vulnerable.\nWhether the compiled oxenstored binary is vulnerable depends on which compiler was used. OCaml can be compiled either as bytecode (with ocamlc) or as a native binary (with ocamlopt).\nThe following OCaml program demonstrates the issue, and identifies whether the resulting oxenstored binary will skip the quota enforcement.\n\n    $ cat order.ml\n    let check () =\n      let flag = ref false in\n      let update _ = flag := true; () in\n      List.iter update [1;2;3], !flag\n\n    let main () =\n      let _, flag = check () in\n      if flag\n      then print_endline \"This code is not vulnerable!\"\n      else print_endline \"This code is vulnerable!\"\n\n    let () = main ()\n\n    $ ocamlc order.ml -o order.bytecode\n    $ ./order.bytecode\n    This code is vulnerable!\n    $ ocamlopt order.ml -o order.native\n    $ ./order.native\n    This code is not vulnerable!\n\nTo confirm whether an OCaml binary is bytecode or native, use file.\n\n    $ file order.bytecode\n    order.bytecode: a /usr/bin/ocamlrun script executable (binary data)\n    $ file order.native\n    order.native: ELF 64-bit LSB executable, ...\n\nNOTE: These results are applicable to OCaml 4.01.0-5 as distributed in Debian Jessie. 
These results are not representative of other versions of OCaml, or of other OS distributions.\n", "edition": 1, "reporter": "Xen Project", "published": "2018-08-14T17:00:00", "title": "oxenstored does not apply quota-maxentity", "type": "xen", "enchantments": {"score": {"modified": "2018-08-14T22:13:09", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": [], "modified": "2018-08-14T17:19:00", "id": "XSA-272", "href": "http://xenbits.xen.org/xsa/advisory-272.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "msrc": [{"lastseen": "2018-08-14T17:36:48", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to [turn on automatic updates](<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F306525%2Fhow-to-configure-and-use-automatic-updates-in-windows&data=02%7C01%7C%7Caa4cb473dd024322fd1608d6016fe185%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636697977364253057&sdata=AxcAqVk2pBNYTMcStIcmKuZU2q%2B9D1K8ZWjU0Oc9SBs%3D&reserved=0>). \n\nMore information about this month\u2019s security updates can be found on the [Security Update Guide](<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2F&data=02%7C01%7C%7Caa4cb473dd024322fd1608d6016fe185%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636697977364263065&sdata=9jwCbUuHkIuPKIwfMs33mks87XbFlDMJQYT%2B3GGxP6c%3D&reserved=0>). 
\n\nMSRC team", "reporter": "MSRC Team", "published": "2018-08-14T17:09:00", "type": "msrc", "title": "August 2018 Security Update Release", "enchantments": {"score": {"modified": "2018-08-14T17:36:48", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-14T17:09:00", "id": "MSRC:8E69D22CA645002035B61DD94C909786", "href": "https://blogs.technet.microsoft.com/msrc/2018/08/14/august-2018-security-update-release/", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2018-08-14T18:32:04", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "For a complete web application security program, it\u2019s important that all your web applications have some level of security testing. Automated scans using Qualys Web Application Scanning (WAS) are perfect to meet this need given its cloud-based architecture and ability to scale. 
However, performing manual penetration testing of your business-critical applications in addition to automated...\n\n[Source](<https://blog.qualys.com/technology/2018/08/14/introducing-a-burp-extension-for-integration-with-qualys-web-application-scanning>)", "reporter": "Dave Ferguson", "published": "2018-08-14T17:00:02", "type": "qualysblog", "title": "Introducing a Burp Extension for Integration with Qualys Web Application Scanning", "enchantments": {"score": {"modified": "2018-08-14T18:32:04", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-14T17:00:02", "id": "QUALYSBLOG:A4AD17D47D12E33781F4CEEC53ABE8D2", "href": "https://blog.qualys.com/technology/2018/08/14/introducing-a-burp-extension-for-integration-with-qualys-web-application-scanning", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisco": [{"lastseen": "2018-08-14T19:56:21", "_object_types": ["robots.models.base.Bulletin", "robots.models.cisco.CiscoBulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180814-cpusidechannel"], "description": "A vulnerability due to the design of modern Intel CPUs could allow a local attacker to access sensitive information on a targeted system.\n\nThe vulnerability is due to improper implementation of the speculative execution of instructions by the affected microprocessors. This vulnerability can be triggered by causing the CPU to perform an L1 Data Cache Terminal Fault while the operating system performs specific actions. The issue may also be triggered while a system exits System Management Mode. An attacker could exploit this vulnerability by executing arbitrary code and performing a side-channel attack on the cache of the targeted system. 
A successful exploit could allow the attacker to read sensitive memory information.\n\nThis vulnerability has been assigned the following CVE ID: CVE-2018-3620\n\nA vulnerability due to the design of modern Intel CPUs could allow a local attacker to access sensitive information on a targeted system.\n\nThe vulnerability is due to improper implementation of the speculative execution of instructions by the affected microprocessors. This vulnerability can be triggered by causing the CPU to attempt to perform an L1 Data Cache Terminal Fault when exiting from an Intel SGX enclave. An attacker could exploit this vulnerability by executing arbitrary code and performing a side-channel attack on the cache of the targeted system. A successful exploit could allow the attacker to read sensitive memory information.\n\nThis vulnerability has been assigned the following CVE ID: CVE-2018-3615\n\nA vulnerability due to the design of modern Intel CPUs could allow a local attacker to access sensitive information on a targeted system.\n\nThe vulnerability is due to improper implementation of the speculative execution of instructions by the affected microprocessors. This vulnerability can be triggered by causing the CPU to perform an L1 Data Cache Terminal Fault from within a virtualized environment hosted on an affected device. An attacker could exploit this vulnerability by executing arbitrary code and performing a side-channel attack on the cache of the targeted system. A successful exploit could allow the attacker to read sensitive memory information.\n\nThis vulnerability has been assigned the following CVE ID: CVE-2018-3646\n\nOn August 14th, 2018, three vulnerabilities were disclosed by Intel and security researchers that leverage a speculative execution side-channel method referred to as L1 Terminal Fault (L1TF) that affects modern Intel microprocessors. 
These vulnerabilities could allow an unprivileged, local attacker, in specific circumstances, to read privileged memory belonging to other processes.\n\nThe first vulnerability, CVE-2018-3615, affects Intel SGX technology and is referred to by the researchers who discovered it as Foreshadow. This vulnerability is not known to affect any Cisco devices, as Cisco devices do not utilize Intel SGX technology. Cisco Unified Computing System servers do support Intel SGX technology and may be provisioned by a customer in their environment to use it.\n\nThe second vulnerability, CVE-2018-3620, and the third vulnerability, CVE-2018-3646, are referred to as L1 Terminal Fault attacks by Intel. These two vulnerabilities affect multi-core processors that leverage Intel Hyper-Threading technology and support operating system, System Management Mode, and virtualized workloads. Like the previously disclosed Spectre vulnerabilities, all three new vulnerabilities leverage cache-timing attacks to infer the disclosed data.\n\nTo exploit any of these vulnerabilities, an attacker must be able to run crafted code or scripts on an affected device. Although the underlying CPU and operating system combination in a product or service may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code and are, therefore, not vulnerable: there is no vector from which to exploit them. Cisco products are considered potentially vulnerable only if they allow customers to execute custom code side-by-side with Cisco code on the same microprocessor.\n\nA Cisco product that may be deployed as a virtual machine or a container, even while not directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. 
Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as virtual devices in multi-tenant hosting environments should ensure that the underlying hardware, as well as the operating system or hypervisor, is patched against the vulnerabilities in question.\n\nAlthough Cisco cloud services are not directly affected by these vulnerabilities, the infrastructure on which they run may be impacted. See the Affected Products section of this advisory for information about the impact of these vulnerabilities on Cisco cloud services.\n\nCisco will release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180814-cpusidechannel", "reporter": "Cisco", "published": "2018-08-14T17:00:00", "type": "cisco", "title": "CPU Side-Channel Information Disclosure Vulnerabilities: August 2018", "enchantments": {"score": {"modified": "2018-08-14T19:56:21", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2018-3615", "CVE-2018-3620", "CVE-2018-3646"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-08-14T18:24:35", "id": "CISCO-SA-20180814-CPUSIDECHANNEL", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180814-cpusidechannel", "cvss": {"score": 0.0, "vector": "NONE"}}], "ciscothreats": [{"lastseen": "2018-08-14T17:08:17", "_object_types": ["robots.models.cisco.CiscoThreatBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Medium\n\nAlert ID: \n\n58687\n\nFirst Published:\n\n2018 August 14 16:44 GMT\n\nVersion: 
\n\n1\n\n## Summary\n\nCisco Security has detected significant activity related to spam email messages distributing malicious software. \n \nEmail messages that are related to this threat (RuleID33419) may contain the following files: \n \n**Name** | **Size in Bytes** | **MD5 Checksum** \n---|---|--- \nDHL DELIVERY TEAM 327545.7z / frreshserver25(1).exe | 440,320 | 0x518899EB277A142BFFBC544F309E1954 \n \nThe following text is a sample of the email message that is associated with this threat outbreak:\n\n> Subject: **DHL Express Team** \n\n\nCisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.\n\n## Revision History\n\nVersion | Description | Section | Date \n---|---|---|--- \n1 | Initial release to report significant activity detected by Cisco Security on August 13, 2018. | \u2014 | 2018-August-14 \n\n* * *\n\n## Legal Disclaimer\n\nTHIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. \n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. 
The information in this document is intended for end users of Cisco products.\n", "reporter": "Cisco", "published": "2018-08-14T16:44:21", "type": "ciscothreats", "title": "Threat Outbreak Alert RuleID33419: Email Messages Distributing Malicious Software on August 13, 2018", "enchantments": {"score": {"modified": "2018-08-14T17:08:17", "vector": "NONE", "value": 5.0}}, "ciscoThreat": {"messageBody": null, "size": 440320, "subject": "DHL Express Team", "files": "DHL DELIVERY TEAM 327545.7z / frreshserver25(1).exe", "md5": "0x518899EB277A142BFFBC544F309E1954"}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.cisco.CiscoThreatBulletin", "modified": "2018-08-14T16:44:21", "id": "CISCO-THREAT-58687", "href": "https://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=58687", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-14T17:08:17", "_object_types": ["robots.models.cisco.CiscoThreatBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Medium\n\nAlert ID: \n\n58688\n\nFirst Published:\n\n2018 August 14 16:44 GMT\n\nVersion: \n\n1\n\n## Summary\n\nCisco Security has detected significant activity related to spam email messages distributing malicious software. \n \nEmail messages that are related to this threat (RuleID33418) may contain the following files: \n \n**Name** | **Size in Bytes** | **MD5 Checksum** \n---|---|--- \nDHL doc#99675435667_pdf.lz / DHL ddoc#99675435667_pdf.exe | 1,110,016 | x50244D2D5A1FAFA2642A06F4D61C2773 \n \nThe following text is a sample of the email message that is associated with this threat outbreak:\n\n> Subject: **Fwd: Your DHL Document was received at our postal office**\n\n> Message Body:\n\n> \n**Good Day, \nPlease find attached herein full details of document. \nSincerely \nDHL Team \nImage result for dhl logo \n2018 \u00a9 DHL International GmbH. 
All rights reserved.** \n\n\nCisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.\n\n## \n\nRevision History \n\n * Version | Description | Section | Date \n---|---|---|--- \n1 | Initial release to report significant activity detected by Cisco Security on August 13, 2018. | \u2014 | 2018-August-14 \nShow Less\n\n* * *\n\n## \n\nLegal Disclaimer \n\n * THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. \n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products \n", "reporter": "Cisco", "published": "2018-08-14T16:44:19", "type": "ciscothreats", "title": "Threat Outbreak Alert RuleID33418: Email Messages Distributing Malicious Software on August 13, 2018", "enchantments": {"score": {"modified": "2018-08-14T17:08:17", "vector": "NONE", "value": 5.0}}, "ciscoThreat": {"messageBody": "Good Day,\nPlease find attached herein full details of document.\nSincerely\nDHL Team\nImage result for dhl logo\n2018 \u00a9 DHL International GmbH. 
All rights reserved.", "size": 1110016, "subject": "Fwd: Your DHL Document was received at our postal office", "files": "DHL doc#99675435667_pdf.lz / DHL ddoc#99675435667_pdf.exe", "md5": "x50244D2D5A1FAFA2642A06F4D61C2773"}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.cisco.CiscoThreatBulletin", "modified": "2018-08-14T16:44:19", "id": "CISCO-THREAT-58688", "href": "https://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=58688", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-14T17:08:18", "_object_types": ["robots.models.cisco.CiscoThreatBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Medium\n\nAlert ID: \n\n58685\n\nFirst Published:\n\n2018 August 14 15:58 GMT\n\nVersion: \n\n1\n\n## \n\nSummary \n\n * Cisco Security has detected significant activity related to spam email messages distributing malicious software. \n \nEmail messages that are related to this threat (RuleID33425) may contain the following files: \n \n**Name** | **Size in Bytes** | **MD5 Checksum** \n---|---|--- \nRFQ PR1000062561881 PDF.gz / RFQ PR1000062561881 PDF.exe \n| 732,160 \n| 0xC2AFB11D5BFDD77CA06F008B844E540A \n \n \n \nThe following text is a sample of the email message that is associated with this threat outbreak:\n\n> Subject: **RFQ PR1000062561881**\n\n> Message Body:\n\n> \n**Dear Sir/Madam, \nWe are pleased to invite you to submit your quotation for material(s) and/or service(s) as per attached Request for Quotation (RFQ) and related documents (if any). The price quoted must be subjected to the delivery terms, delivery location and delivery date as specified in the document(s). \nThe closing date of this RFQ exercise is Thursday, 9th July 2018 @ close of business time. \nKindly submit your quotations to our official sales email address: \nImportant Note: \nPlease specify the RFQ reference number in your email\u2019s subject line and on your quotation. 
\nIf any clarification is required on the specifications of the material(s) and/or service(s) in the RFQ, or on any related matters, you may send your enquiries to the undersigned \nRegards \nProcurement Officer**\n\nCisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.\n\n## \n\nRevision History \n\n * Version | Description | Section | Date \n---|---|---|--- \n1 | Initial release to report significant activity detected by Cisco Security on August 13, 2018. | \u2014 | 2018-August-14 \nShow Less\n\n* * *\n\n## \n\nLegal Disclaimer \n\n * THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. \n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. 
The information in this document is intended for end users of Cisco products \n", "reporter": "Cisco", "published": "2018-08-14T15:58:03", "type": "ciscothreats", "title": "Threat Outbreak Alert RuleID33425: Email Messages Distributing Malicious Software on August 13, 2018", "enchantments": {"score": {"modified": "2018-08-14T17:08:18", "vector": "NONE", "value": 5.0}}, "ciscoThreat": {"messageBody": "Dear Sir/Madam, \nWe are pleased to invite you to submit your quotation for material(s) and/or service(s) as per attached Request for Quotation (RFQ) and related documents (if any). The price quoted must be subjected to the delivery terms, delivery location and delivery date as specified in the document(s). \nThe closing date of this RFQ exercise is Thursday, 9th July 2018 @ close of business time.\nKindly submit your quotations to our official sales email address: \nImportant Note:\nPlease specify the RFQ reference number in your email\u2019s subject line and on your quotation.\nIf any clarification is required on the specifications of the material(s) and/or service(s) in the RFQ, or on any related matters, you may send your enquiries to the undersigned \nRegards\nProcurement Officer", "size": 732160, "subject": "RFQ PR1000062561881", "files": "RFQ PR1000062561881 PDF.gz / RFQ PR1000062561881 PDF.exe", "md5": "0xC2AFB11D5BFDD77CA06F008B844E540A"}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.cisco.CiscoThreatBulletin", "modified": "2018-08-14T15:58:03", "id": "CISCO-THREAT-58685", "href": "https://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=58685", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-14T17:08:18", "_object_types": ["robots.models.cisco.CiscoThreatBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Medium\n\nAlert ID: \n\n58684\n\nFirst Published:\n\n2018 August 14 15:58 GMT\n\nVersion: \n\n1\n\n## \n\nSummary \n\n * Cisco Security has detected significant activity 
related to spam email messages distributing malicious software. \n \nEmail messages that are related to this threat (RuleID33416) may contain the following files: \n \n**Name** | **Size in Bytes** | **MD5 Checksum** \n---|---|--- \nIMG_20180801_2455364.jpg.ace / Quotation.exe \n| 825,344 \n| 0x4CFBA0ADEBEB6EC7FC21BFD035C6E0CE \n \n \n \nThe following text is a sample of the email message that is associated with this threat outbreak:\n\n> Subject: **Request Quotation**\n\n> Message Body:\n\n> **Dear, \nWe visited your company website. Please check attached file with designs for quotation, for each design you must quote twice in two different qualities as requested. we will like to place an orders which is needed urgently. You have sample drawing references. \nPlease kindly reply and quote asap. \nBest Regards, \nCoordinador General de la Calidad** \n\n\nCisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user.\n\n## \n\nRevision History \n\n * Version | Description | Section | Date \n---|---|---|--- \n1 | Initial release to report significant activity detected by Cisco Security on August 13, 2018. | \u2014 | 2018-August-14 \nShow Less\n\n* * *\n\n## \n\nLegal Disclaimer \n\n * THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. 
\n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products \n", "reporter": "Cisco", "published": "2018-08-14T15:58:01", "type": "ciscothreats", "title": "Threat Outbreak Alert RuleID33416: Email Messages Distributing Malicious Software on August 13, 2018", "enchantments": {"score": {"modified": "2018-08-14T17:08:18", "vector": "NONE", "value": 5.0}}, "ciscoThreat": {"messageBody": "Dear,\nWe visited your company website. Please check attached file with designs for quotation, for each design you must quote twice in two different qualities as requested. we will like to place an orders which is needed urgently. You have sample drawing references.\nPlease kindly reply and quote asap.\nBest Regards,\nCoordinador General de la Calidad", "size": 825344, "subject": "Request Quotation", "files": "IMG_20180801_2455364.jpg.ace / Quotation.exe", "md5": "0x4CFBA0ADEBEB6EC7FC21BFD035C6E0CE"}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.cisco.CiscoThreatBulletin", "modified": "2018-08-14T15:58:01", "id": "CISCO-THREAT-58684", "href": "https://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=58684", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-14T17:08:18", "_object_types": ["robots.models.cisco.CiscoThreatBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Medium\n\nAlert ID: \n\n58686\n\nFirst Published:\n\n2018 August 14 15:57 GMT\n\nVersion: \n\n1\n\n## \n\nSummary \n\n * Cisco Security has detected significant activity related to spam email messages distributing malicious software. 
\n \nEmail messages that are related to this threat (RuleID33424) may contain the following files: \n \n**Name** | **Size in Bytes** | **MD5 Checksum** \n---|---|--- \nSOA&PROFORMA.zip.gz / clone2.exe \n| 540,672 \n| 0xB1E70492574A2A0BA2B618A94AD6E96B \n \n \nCisco security appliances can help protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Cisco Web Security Appliances help secure and control web and email traffic by offering layers of malware protection. Cisco security appliances are automatically updated to help prevent both spam email and hostile web URLs from being passed to the end user. \n\n\n## \n\nRevision History \n\n * Version | Description | Section | Date \n---|---|---|--- \n1 | Initial release to report significant activity detected by Cisco Security on August 13, 2018. | \u2014 | 2018-August-14 \nShow Less\n\n* * *\n\n## \n\nLegal Disclaimer \n\n * THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. \n\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. 
The information in this document is intended for end users of Cisco products \n", "reporter": "Cisco", "published": "2018-08-14T15:57:59", "type": "ciscothreats", "title": "Threat Outbreak Alert RuleID33424: Email Messages Distributing Malicious Software on August 13, 2018", "enchantments": {"score": {"modified": "2018-08-14T17:08:18", "vector": "NONE", "value": 5.0}}, "ciscoThreat": {"messageBody": null, "size": 540672, "subject": null, "files": "SOA&PROFORMA.zip.gz / clone2.exe", "md5": "0xB1E70492574A2A0BA2B618A94AD6E96B"}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.cisco.CiscoThreatBulletin", "modified": "2018-08-14T15:57:59", "id": "CISCO-THREAT-58686", "href": "https://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=58686", "cvss": {"score": 0.0, "vector": "NONE"}}], "mssecure": [{"lastseen": "2018-08-14T16:36:16", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "_Today's post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO._\n\nCustomer satisfaction is one of the most important goals for Microsoft 365 Security. In [part 1](<https://cloudblogs.microsoft.com/microsoftsecure/2018/07/17/how-microsoft-365-security-integrates-with-the-broader-security-ecosystem-part-1/>) of this series, we discussed Microsoft's overall security strategy for connecting with the broader security community, and in [part 2](<https://cloudblogs.microsoft.com/microsoftsecure/2018/07/31/how-microsoft-365-security-integrates-with-your-broader-it-ecosystem-part-2/>), we looked at how Microsoft services help secure non-Microsoft services of an organization's IT environment.\n\nIn the final part of this blog series, we highlight how Microsoft 365 Security solutions work together to help customers secure their IT environments. 
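The five Cisco Threat Outbreak Alerts above all publish the same three indicators per campaign: an archive name paired with the executable it unpacks to, the executable's size, and its MD5. Two details matter when those records are consumed by a script rather than by eye: the hash in alert 58688 is printed as `x5024...` without the leading `0`, so a naive `startswith("0x")` strip would leave a 33-character non-hash, and the filename pairs themselves (`.jpg.ace` wrapping an `.exe`, a `_pdf.lz` wrapping a `_pdf.exe`, a `.zip.gz`) are usable detection signals independent of any hash. The following is an added example, not code from Cisco or from vulners: it normalises the MD5 field from the `ciscoThreat` records, derives filename-based lure indicators, and checks an attachment against both. `SAMPLE_RECORDS` is constructed from three of the alerts above, and the extension sets and indicator names are this example's own choices, not a Cisco taxonomy.

```python
"""Turn Cisco Threat Outbreak Alert records (the vulners 'ciscothreats' JSON shape
above) into an indicator table and check an attachment against it.
Added example; not Cisco's or vulners' code."""
import hashlib
import re

# Constructed sample: three of the records above, reduced to the fields used here.
# The first keeps the bare "x" prefix exactly as alert 58688 publishes it.
SAMPLE_RECORDS = [
    {"id": "CISCO-THREAT-58688", "ciscoThreat": {
        "files": "DHL doc#99675435667_pdf.lz / DHL ddoc#99675435667_pdf.exe",
        "size": 1110016, "md5": "x50244D2D5A1FAFA2642A06F4D61C2773",
        "subject": "Fwd: Your DHL Document was received at our postal office"}},
    {"id": "CISCO-THREAT-58684", "ciscoThreat": {
        "files": "IMG_20180801_2455364.jpg.ace / Quotation.exe",
        "size": 825344, "md5": "0x4CFBA0ADEBEB6EC7FC21BFD035C6E0CE",
        "subject": "Request Quotation"}},
    {"id": "CISCO-THREAT-58686", "ciscoThreat": {
        "files": "SOA&PROFORMA.zip.gz / clone2.exe",
        "size": 540672, "md5": "0xB1E70492574A2A0BA2B618A94AD6E96B",
        "subject": None}},
]

# Extension sets are this example's own (assumption), chosen to cover the alerts above.
ARCHIVE_EXT = {"7z", "lz", "gz", "ace", "zip", "rar", "arj", "iso", "img", "cab"}
EXEC_EXT = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe", "bat", "cmd", "hta", "dll"}
# A document/image token just before the real extension: "x.jpg.ace", "y_pdf.exe", "z PDF.gz".
DECOY_TOKEN = re.compile(r"[ _.\-](pdf|docx?|xlsx?|pptx?|jpe?g|png|gif)$", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def normalise_md5(raw):
    """Lower-case hex without a '0x' (or a stray 'x') prefix; None unless 32 hex digits remain."""
    h = raw.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    elif h.startswith("x"):
        h = h[1:]
    return h if HEX32.match(h) else None


def split_files(files_field):
    """'outer.archive / inner.exe' -> (outer, inner); a bare name gives (name, None)."""
    parts = [p.strip() for p in files_field.split(" / ", 1)]
    return parts[0], (parts[1] if len(parts) == 2 else None)


def last_ext(name):
    """Final extension, lower-cased, or '' when there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def lure_indicators(files_field):
    """Naming tricks visible in an attachment pair, independent of the file's hash."""
    outer, inner = split_files(files_field)
    found = set()
    outer_is_archive = last_ext(outer) in ARCHIVE_EXT
    if outer_is_archive and inner is not None and last_ext(inner) in EXEC_EXT:
        found.add("executable-in-archive")
    for name in (outer, inner):
        if name is None or "." not in name:
            continue
        stem = name.rsplit(".", 1)[0]
        if DECOY_TOKEN.search(stem):
            found.add("decoy-document-name")
        if outer_is_archive and name == outer and last_ext(stem) in ARCHIVE_EXT:
            found.add("nested-archive")  # e.g. ".zip.gz"
    return found


def build_ioc_table(records):
    """Map normalised MD5 -> summary of the alert that published it. Records whose hash
    does not normalise to 32 hex digits are skipped rather than stored in a broken form."""
    table = {}
    for rec in records:
        ct = rec["ciscoThreat"]
        h = normalise_md5(ct["md5"])
        if h is None:
            continue
        table[h] = {"id": rec["id"], "files": ct["files"],
                    "size": ct["size"], "subject": ct.get("subject")}
    return table


def check_attachment(data, files_field, ioc_table):
    """MD5 the attachment bytes (MD5 only because that is what the alerts publish) and
    combine the lookup with the filename heuristics. A hash hit is a confirmed match;
    indicators alone justify detonation or quarantine, not an outright block."""
    h = hashlib.md5(data).hexdigest()
    return {"md5": h, "ioc_hit": ioc_table.get(h),
            "indicators": sorted(lure_indicators(files_field))}


if __name__ == "__main__":
    table = build_ioc_table(SAMPLE_RECORDS)
    for rec in SAMPLE_RECORDS:
        print(rec["id"], sorted(lure_indicators(rec["ciscoThreat"]["files"])))
    # Constructed benign bytes: no hash hit and no naming tricks expected.
    print(check_attachment(b"%PDF-1.4 constructed benign sample", "report.pdf", table))
```

Running the block against the three sample records classifies every one as an executable inside an archive; two additionally carry a decoy document or image token in the name and one is a nested archive. Those filename indicators survive a repack that changes the hash, which is why a mail gateway rule should key on them as well as on the published MD5s.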
The benefits of Microsoft 365 Security services are universal, as demonstrated by the fact that our customers are large and small, and focused on different industry verticals across the globe.\n\n### Helping enable a mobile workforce at a healthcare network\n\n[Sutter Health](<https://www.sutterhealth.org/about>) is a not-for-profit network of healthcare professionals and hospitals serving Northern California. [CTO Wes Wright's main goal](<http://customers.microsoft.com/en-us/story/sutter-health-health-provider-office-365-blog>) is to provide IT and software solutions that allow employees to maximize their time spent on patient and family care. Sutter Health's network employs nearly 52,000 people, supporting 24 acute care hospitals and care centers, serving more than 100 communities. Sutter has an ecosystem of **65,000 mobile devices** and modernizing IT was not trivial for them. They deployed [Microsoft Intune](<https://www.microsoft.com/en-us/cloud-platform/microsoft-intune>) to help manage and support an internal app store called the Sutter Intune Store. Intune also helps ensure Sutter's clinical and business partners can access and use Sutter Health authorized apps from anywhere, at any time. Their Intune-powered solution is designed to:\n\n * Manage and secure any mobile device used by the workforce to access company data.\n * Manage and secure the mobile apps used by their workforce.\n * Protect company information even after it is accessed.\n * Ensure devices and apps are compliant with company security policies.\n\nWith services like Intune (Figure 1), simplifying security management and reducing IT complexity, Sutter Health can support the latest devices, embrace modern apps, leverage a distributed workforce, and deliver the highest quality patient care.\n\n![](https://cloudblogs.microsoft.com/uploads/prod/sites/13/2018/08/Microsoft-365-Security-integrates-with-your-broader-IT-ecosystem-1-1024x919.png)\n\n_Figure 1. 
The Intune architecture diagram._\n\n### Enhancing productivity through security at a power company\n\n[Wärtsilä](<https://www.wartsila.com/>) is a Finnish company manufacturing and servicing power sources and other equipment for the marine and energy markets. [Joachim Kjellman, solutions manager at Wärtsilä](<http://customers.microsoft.com/en-us/story/wartsila-power-utilities-microsoft-365>) was looking for a solution with conditional access and multifactor authentication (MFA) capabilities. He selected Azure Active Directory (Azure AD), which enables single sign-on capability for all company resources anywhere with internet access, removing the need for unreliable VPN connections. Additionally, with Conditional Access, [Wärtsilä](<https://www.wartsila.com/>) can provide remote access to apps that can be secured with MFA and managed when originating from unmanaged devices. Azure AD (Figure 2) is designed to help organizations:\n\n * Provide seamless access.\n * Facilitate collaboration.\n * Unlock IT efficiencies.\n * Enhance security and compliance.\n\n![](https://cloudblogs.microsoft.com/uploads/prod/sites/13/2018/08/Microsoft-365-Security-integrates-with-your-broader-IT-ecosystem-2.png)\n\n_[Figure 2. Azure AD overview](<https://azure.microsoft.com/en-us/services/active-directory/>)._\n\nAzure AD also supports seamless collaboration (even on large-scale, complex projects) between Wärtsilä and its contractors and partners. Azure AD B2B collaboration features ensure that access to shared resources is heavily protected. Azure AD has helped Wärtsilä IT staffers save time and money, enabling Wärtsilä to remain focused on serving their global customer base.\n\n### Securing an entire IT environment at a transportation firm\n\nThroughout this series, we have discussed how Microsoft 365 Security services integrate well with the myriad IT solutions our customers utilize. However, some of our customers chose Microsoft 365 Security services to help secure their entire environment. 
[HS1 Limited](<https://highspeed1.co.uk/>) operates and maintains infrastructure for the high-speed railway connecting St. Pancras International Station in London and the Channel Tunnel, joining international high-speed routes between London, Paris, and Brussels, along with several domestic routes. The 50-person firm works with hundreds of counterparts and vendors, so security and collaboration are high priorities. [Shawn Marcellin, IT and facilities manager](<https://customers.microsoft.com/en-us/story/hs1-limited-travel-transportation-microsoft-365>) at HS1 Limited needed a highly secure, collaborative solution without investing in a full datacenter and turned to [Microsoft 365 E5](<https://www.microsoft.com/en-us/microsoft-365/default.aspx>). Marcellin adopted Microsoft 365 E5 for its advanced security features, including [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp>), [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection>), and [Office 365 Threat Intelligence](<https://support.office.com/en-us/article/Office-365-Threat-Intelligence-32405da5-bee1-4a4b-82e5-8399df94c512>). Identity management through [Microsoft Azure Active Directory Premium P2](<https://www.microsoft.com/en-us/cloud-platform/azure-active-directory>) was another advantage of his choosing Microsoft 365 E5, as was protecting data with [Microsoft Cloud App Security](<https://www.microsoft.com/en-us/cloud-platform/cloud-app-security>) and Office 365 Advanced Threat Protection. Marcellin is confident that the move to a fully cloud-based, secure solution will continue to benefit HS1 Limited.\n\n![](https://cloudblogs.microsoft.com/uploads/prod/sites/13/2018/08/Microsoft-365-Security-integrates-with-your-broader-IT-ecosystem-3.png)\n\n_Figure 3. 
The entire Microsoft 365 Security reference architecture._\n\nTo learn more about how Microsoft security solutions fit together, read [Cybersecurity Reference Architecture: Security for a Hybrid Enterprise](<https://cloudblogs.microsoft.com/microsoftsecure/2018/06/06/cybersecurity-reference-architecture-security-for-a-hybrid-enterprise/>).\n\n### Digging deeper\n\nThese are only a few examples of organizations using Microsoft 365 Security services to secure their extended or entire IT ecosystem. We encourage you to visit the [Microsoft Secure site](<https://www.microsoft.com/en-us/security/default.aspx>) and learn more about the full scope of Microsoft 365 Security capabilities. Also, check out more [customer stories](<http://customers.microsoft.com/en-us/home?sq=&ff=&p=0>) to learn how organizations leverage Microsoft 365 Security.\n\nTo get started envisioning a plan, onboarding, and driving user adoption, go to [FastTrack.microsoft.com](<https://www.microsoft.com/en-us/fasttrack>), sign in with your subscription ID, and complete the Request for Assistance Form.\n\nThanks for reading this series. 
We hope you will try the services discussed in this blog to start benefitting from their capabilities, which include:\n\n * [Microsoft Intune](<https://portal.office.com/signup/logout?OfferId=40BE278A-DFD1-470a-9EF7-9F2596EA7FF9&dl=INTUNE_A&ali=1>)\n * [Azure Active Directory](<https://azure.microsoft.com/en-us/trial/get-started-active-directory/>)\n * [Office 365 Advanced Threat Protection](<https://signup.microsoft.com/signup/logout?OfferId=101bde18-5ffb-4d79-a47b-f5b2c62525b3&dl=ENTERPRISEPREMIUM&ali=1>)\n * [Windows Defender Advanced Threat Protection](<https://winatpregistration-prd.trafficmanager.net/UserAgreement?wt.mc_id=AID702266_QSG_245679&ocid=AID702266_QSG_245679>)\n * [Microsoft Cloud App Security](<https://signup.microsoft.com/Signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&ali=1>)", "reporter": "toddvanderark", "published": "2018-08-14T16:00:16", "type": "mssecure", "title": "How Microsoft 365 Security integrates with your broader IT ecosystem\u2014part 3", "enchantments": {"score": {"modified": "2018-08-14T16:36:16", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-14T16:00:16", "id": "MSSECURE:291D6AC7F8E7F7D716D49E3E6FB232A4", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2018/08/14/how-microsoft-365-security-integrates-with-your-broader-it-ecosystem-part-3/", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackread": [{"lastseen": "2018-08-14T19:14:52", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "By [Waqas](<https://www.hackread.com/author/hackread/>)\n\nThink twice before sharing your fax number with someone. Many corporations provide their fax number in the contact information page on the websites. After all, it is considered completely harmless to share fax number with other information like the email address or phone number. 
However, it turns out that the fax number is also exploitable [\u2026]\n\nThis is a post from HackRead.com. Read the original post: [Faxploit: Hackers can use Fax machines to inject malware into a targeted network](<https://www.hackread.com/hackers-can-use-fax-machines-to-inject-malware-into-a-targeted-network/>)", "reporter": "Waqas", "published": "2018-08-14T14:57:51", "type": "hackread", "title": "Faxploit: Hackers can use Fax machines to inject malware into a targeted network", "enchantments": {"score": {"modified": "2018-08-14T19:14:52", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-14T14:57:51", "id": "HACKREAD:97A2FDF71CD11C689130A085F7189992", "href": "https://www.hackread.com/hackers-can-use-fax-machines-to-inject-malware-into-a-targeted-network/", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2018-08-14T15:13:31", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "![](https://blog.trendmicro.com/wp-content/uploads/2018/08/av.jpg)\n\nDespite popular opinion otherwise, the days have long since passed when Mac users can venture forth on the Internet without having to worry about viruses or ransomware, phishing attacks or dangerous URLs. Though the number of attacks on the Mac is lower than on Windows machines (because there are fewer Macs, of course, making less of a target for cybercriminals), antivirus protection is still advised for every Mac user\u2019s safety when browsing or shopping online or on social networks such as Facebook and Twitter.\n\nBecause that\u2019s true, wise users will be glad to hear that Trend Micro Antivirus for Mac achieved 100% antimalware protection and received a badge of **_Approved Mac Security_** in the latest **_Mac Security Test & Review_** by AV-Comparatives, completed in July of 2018. 
Among a crowd of 10 antivirus programs tested for the Mac, Trend Micro Antivirus for Mac scored 100% protection, with no false positives\u2014not only against 310 current Mac malware samples, but for 1,000 Windows samples as well. That means: if your Mac is included in a house of Windows machines, you can\u2019t be a conduit for Windows malware even if you\u2019re sandwiched between two PCs as you pass your family\u2019s files back and forth.\n\nAV-Comparatives\u2019 tests included different phases in the process of malware detection: USB flash drive insertion, real-time detection, on-demand scanning, and malware sample execution. No malware got past Trend Micro Antivirus for Mac to infect the machine\u2014and again, no false detections occurred. Highlights of the review include examination of Folder Shield for ransomware protection; Privacy Scanner for checking your privacy on Facebook, Google Plus, Twitter, and LinkedIn; Web Threat Protection against fraud and malicious software; and the Website Filter with both pre-sets and custom settings for Parental Controls.\n\nVisit AV-Comparatives\u2019 [Mac Security Test & Review 2018](<https://www.av-comparatives.org/tests/mac-security-test-review-2018/>) to download a PDF of the review.\n\nVisit [Trend Micro Antivirus for Mac](<https://www.trendmicro.com/en_us/forHome/products/antivirus-for-mac.html>) for more information, or to buy the program.\n\nThe post [AV-Comparatives: Trend Micro Antivirus for Mac Provides 100% Malware Protection for Mac Users](<https://blog.trendmicro.com/av-comparatives-trend-micro-antivirus-for-mac-provides-100-malware-protection-for-mac-users/>) appeared first on [](<https://blog.trendmicro.com>).", "reporter": "Trend Micro", "published": "2018-08-14T14:00:43", "type": "trendmicroblog", "title": "AV-Comparatives: Trend Micro Antivirus for Mac Provides 100% Malware Protection for Mac Users", "enchantments": {"score": {"modified": "2018-08-14T15:13:31", "vector": "NONE", "value": 7.5}}, 
"bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-14T14:00:43", "id": "TRENDMICROBLOG:4EDCA65294B382EACAA5F17CCE34B115", "href": "https://blog.trendmicro.com/av-comparatives-trend-micro-antivirus-for-mac-provides-100-malware-protection-for-mac-users/", "cvss": {"score": 0.0, "vector": "NONE"}}], "carbonblack": [{"lastseen": "2018-08-14T15:12:48", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "_This week marks our final post in this series. Today we\u2019re going to step away from last week\u2019s topic, _**_getting the help you need_**_, and examine how the cloud eliminates the need to _**_manage infrastructure_**_. _\n\n* * *\n\n### **On-Prem is Complex and Costly **\n\nOn-premise solutions require a massive amount of resources and funds to maintain, and ensuring those systems remain current when updates are available is a challenge. Costly capital expenditures for servers, storage, and networks are required, all of which become obsolete quickly as new technology emerges. Whether you are in charge of executing these processes or not, you are greatly impacted by the restrictions they impose. Even when managed perfectly, these solutions are often limited in computing power, storage, and analytics, compromising your ability to fully protect your endpoints. \n\n * Managing between our traditional AV and all the other security tools my team has to manage, all the on-prem infrastructure becomes a nightmare \u2013 to maintain upgrades, to make sure you have enough storage and compute power.\n\nRyan Manni\n\nSecurity Operations Manager, Hologic\n\n \n\n### **The Cloud ****Has No Infrastructure to Manage**\n\nWhen you use a cloud-based security solution, the burden of management falls on your provider\u2014not on you. They handle the servers and storage, and you get to focus on what matters\u2014the security of your organization. 
If there are new capabilities that require a new buildout of infrastructure, your provider takes care of it behind the scenes, with no impact to you. With the cloud you get seamless updates to your software and hardware, turning around new capabilities faster than you ever could on-premise. And everything is configured, deployed and managed for you. Plus, a cloud solution is scalable, so you can easily add endpoints to your network as your organization grows. This makes operations on your end faster and more efficient. And since the cloud\u2019s operational expenditure (opex) model doesn\u2019t require a long-term capital investment, your finances are also easier to manage. \n\nIf you\u2019ve enjoyed reading about the 10 endpoint security problems the cloud solves, take a minute to read our eBook on the subject. And keep reading the Carbon Black blog for more insight into how Carbon Black makes advanced endpoint security easy.\n\n* * *\n\n \n\n![](/wp-content/uploads/2018/06/10-endpoint-security-problems-and-how-the-cloud-solves-them-thumb.jpg)\n\nAre you experiencing problems with your traditional AV solution? 
Read the eBook _10 Endpoint Security Problems - and How the Cloud Solves Them_ to learn how moving to a cloud-based solution can set you on the right path.\n\nRead Now\n\n* * *\n\nThe post [10 Endpoint Security Problems Solved by the Cloud - Managing Infrastructure](<https://www.carbonblack.com/2018/08/14/10-endpoint-security-problems-solved-by-the-cloud-managing-infrastructure/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "reporter": "Katie DeMatteis", "published": "2018-08-14T12:00:18", "type": "carbonblack", "title": "10 Endpoint Security Problems Solved by the Cloud \u2013 Managing Infrastructure", "enchantments": {"score": {"modified": "2018-08-14T15:12:48", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-14T12:00:18", "id": "CARBONBLACK:AFCEAA3D1F58F45112876DD8A9363896", "href": "https://www.carbonblack.com/2018/08/14/10-endpoint-security-problems-solved-by-the-cloud-managing-infrastructure/", "cvss": {"score": 0.0, "vector": "NONE"}}], "schneier": [{"lastseen": "2018-08-14T20:32:04", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Google is tracking you, even if you [turn off tracking](<https://apnews.com/f60bc112665b458cb6473d7ee9492932>):\n\n> Google says that will prevent the company from remembering where you've been. Google's [support page on the subject](<https://support.google.com/accounts/answer/3118687?hl=en>) states: \"You can turn off Location History at any time. With Location History off, the places you go are no longer stored.\" \n> \n> That isn't true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking.\n> \n> For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are. 
And some searches that have nothing to do with location, like \"chocolate chip cookies,\" or \"kids science kits,\" pinpoint your precise latitude and longitude -- accurate to the square foot -- and save it to your Google account.\n\nOn the one hand, this isn't surprising to technologists. Lots of applications use location data. On the other hand, it's very surprising -- and counterintuitive -- to everyone else. And that's why this is a problem.\n\nI don't think we should pick on Google too much, though. Google is a symptom of the bigger problem: [surveillance capitalism](<http://www.shoshanazuboff.com/new/recent-publications-and-interviews/big-other-surveillance-capitalism-and-the-prospects-of-an-information-civilization/>) in general. As long as surveillance is the business model of the Internet, things like this are inevitable.\n\nBoingBoing [story](<https://boingboing.net/2018/08/13/ap-and-princeton-university-g.html>).\n\nGood [commentary](<https://www.theguardian.com/commentisfree/2018/aug/14/googles-snooping-proves-big-tech-will-not-change-unless-governments-step-in>).", "reporter": "Bruce Schneier", "published": "2018-08-14T11:22:56", "type": "schneier", "title": "Google Tracks its Users Even if They Opt-Out of Tracking", "enchantments": {"score": {"modified": "2018-08-14T20:32:04", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-14T14:35:23", "id": "SCHNEIER:E07277879481FF88808E90BCE50E65EB", "href": "https://www.schneier.com/blog/archives/2018/08/google_tracks_i.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2018-08-14T10:31:27", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/08075241/quarter_spam.jpg)\n\n## Quarterly highlights\n\n### GDPR as a phishing opportunity\n\nIn 
the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulation), which came into effect on May 25, 2018. Back then spam traffic was limited to invitations to participate in workshops and other educational events and purchase software or databases. We predicted that fraudulent emails were soon to follow. And we found them in the second quarter.\n\nAs required by the regulation, companies notified email recipients that they were switching to a new GDPR-compliant policy and asked them to confirm permission to store and process personal information. This was what criminals took advantage of. To gain access to the personal information of well-known companies' customers, criminals sent out phishing emails referencing the GDPR and asking recipients to update their account information. To do this, customers had to click on the link provided and enter the requested data, which immediately fell into the hands of the criminals. It must be noted that the attackers were targeting customers of financial organizations and IT service providers.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122429/180810-spam-report-q2-18-1.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122429/180810-spam-report-q2-18-1.png>)\n\n_Phishing emails exploiting GDPR_\n\n### Malicious IQY attachments\n\nIn the second quarter, we uncovered several malspam incidents with never-before-seen IQY (Microsoft Excel Web Query) attachments. Attackers disguise these files as invoices, order forms, document copies, etc., which is a known ploy that is still actively used for malspamming. 
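As an added example (not code from Kaspersky or from this report), the following Python triages an email attachment for the IQY web-query format discussed in this section: an IQY file is plain text whose first line is WEB, second line a format version, third line the URL Excel will fetch, followed by optional key=value options. Because Excel acts on the content and not the file name, the check inspects the bytes regardless of extension. The sample attachments, the allow-listed host and the function names are constructed for the example.

```python
# Added example, not code from the report: triage of IQY (Excel Web
# Query) attachments. Format assumptions: line 1 'WEB', line 2 a format
# version, line 3 the query URL, then optional key=value lines. The
# sample attachments and the allow-listed host are constructed here.
import re
from urllib.parse import urlparse

URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def parse_iqy(data):
    '''Return (url, params) if data is an IQY file, otherwise None.
    Tolerates a UTF-8 BOM, CRLF line endings and blank lines.'''
    text = data.decode('utf-8-sig', errors='replace')
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != 'WEB' or not lines[1].isdigit():
        return None
    url = lines[2]
    if not URL_RE.match(url):
        return None
    params = {}
    for ln in lines[3:]:
        if '=' in ln:
            key, value = ln.split('=', 1)
            params[key.strip()] = value.strip()
    return url, params

def triage_attachment(filename, data, allowed_hosts=()):
    '''Return a list of findings for one attachment (empty list = not an
    IQY file). Content is inspected regardless of the file extension,
    because the structure, not the name, is what Excel acts on.'''
    parsed = parse_iqy(data)
    if parsed is None:
        return []
    url, _params = parsed
    host = (urlparse(url).hostname or '').lower()
    findings = ['iqy web query to ' + host]
    if not filename.lower().endswith('.iqy'):
        findings.append('extension mismatch: IQY content in ' + filename)
    if host not in {h.lower() for h in allowed_hosts}:
        findings.append('query host not in allow-list')
    if urlparse(url).scheme.lower() == 'http':
        findings.append('query over plain http')
    return findings

# Constructed samples; not real campaign artefacts.
SAMPLE_MALICIOUS = (b'WEB\r\n1\r\nhttp://example.invalid/u/1234567.dat\r\n'
                    b'\r\nSelection=AllTables\r\nFormatting=None\r\n')
SAMPLE_LEGIT = b'WEB\n1\nhttps://intranet.example.com/report?fmt=txt\nSelection=AllTables\n'
SAMPLE_TEXT = b'Dear customer, please find the invoice attached.\n'

if __name__ == '__main__':
    for name, blob in (('invoice_20180614.iqy', SAMPLE_MALICIOUS),
                       ('scan.txt', SAMPLE_MALICIOUS),
                       ('report.iqy', SAMPLE_LEGIT),
                       ('note.txt', SAMPLE_TEXT)):
        print(name, triage_attachment(name, blob, ('intranet.example.com',)))
```

The allow-list is the important control: a legitimate IQY file and a malicious one look the same on disk, so the only stable discriminator at the gateway is where the query points. Blocking the extension alone misses renamed files, which is why the content check comes first.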
The From field contains addresses that look like personal emails, and attachment names follow a fixed template: a base name followed by either a date or a random number sequence.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122440/180810-spam-report-q2-18-2.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122440/180810-spam-report-q2-18-2.png>)\n\n_Harmful .iqy files_\n\nWhen the victim opens the IQY file, Excel runs the embedded web query and the computer downloads several trojan-downloaders, which install the Flawed Ammyy RAT backdoor. The infection chain may look like this: Trojan-Downloader.MSExcel.Agent downloads another downloader from the same family, which, in turn, downloads Trojan-Downloader.PowerShell.Agent; this trojan downloads Trojan-Downloader.Win32.Dapato, which finally installs the actual Backdoor.Win32.RA-based.hf (also known as Flawed Ammyy RAT), used to gain remote access to the victim's computer, steal files and personal information, and send spam.\n\nThese attachments are rather difficult to detect because they are plain text files that simply tell Excel which web query to fetch and how to place the returned data in a spreadsheet. This also makes IQY files a very dangerous tool in the hands of criminals: a malicious file is structurally identical to a legitimate one, and the only difference is what the URL returns, which can be any content at all.\n\nIt must be noted that malspam with IQY attachments is distributed via Necurs, the largest spam botnet. As a reminder, this is the botnet responsible for malspam (ransomware, macro viruses, etc.), as well as pump-and-dump and dating spam. The botnet's operation is characterized by periods of spiking and idling, while its infection and filter-evasion mechanisms become ever more sophisticated.\n\n### Data leaks\n\nThe wave of confidential information leaks we discussed in the previous quarter is still on the rise. 
Here are some of the most notable events of the quarter:\n\n * Ticketfly was hacked and the personal information of 27M customers stolen;\n * The personal information of 92M MyHeritage genealogy service users was discovered on a public server;\n * 340M individual records were exposed by Exactis, a marketing company;\n * An unprotected Amazon server allowed access to the personal information of 48M Facebook, LinkedIn, Twitter, and Zillow users.\n\nAs a result of such leaks, cybercriminals get hold of users' names, email addresses, phone numbers, dates of birth, credit card numbers, and personal preferences. This information may later be used to launch targeted phishing attacks, which are the most dangerous type of phishing.\n\n### Cryptocurrency\n\nIn the second quarter, our antiphishing system prevented 58,000 user attempts to connect to phishing websites masquerading as popular cryptocurrency wallets and markets. In addition to classic phishing, which aims at gaining access to the victim's accounts and private key information, cybercriminals try every way to entice a victim to willingly send them cryptocurrency. One example is fake cryptocoin giveaways. Cybercriminals continue using the names of new ICO projects to collect money from potential investors who are trying to gain early access to new tokens. Sometimes the phishing site goes live before the official project site does.\n\nEthereum (ETH) is currently the most popular cryptocurrency with phishers. The popularity of Ethereum with cybercriminals increases as more funds are attracted by [ICOs on the Ethereum platform](<https://www.kaspersky.ru/blog/ethereum-ico/19025/>). 
According to our very rough estimate (based on data received from over a thousand ETH wallets used by malefactors), over the Q2 2018, cybercriminals exploiting ICOs [managed to make](<https://securelist.com/in-cryptoland-trust-can-be-costly/86367/>) $2,329,317 (end-of-July-2018 exchange rate), traditional phishing not included.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122449/180810-spam-report-q2-18-3.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122449/180810-spam-report-q2-18-3.png>)\n\n_Fake ICO project pages: the first is located on fantom.pub and imitates fantom.foundation, the real site of the FANTOM project; the second one, found on sparkster.be, is an imitation of sparkster.me, the original SPARKSTER site_\n\n### World Cup 2018\n\nCybercriminals from all over the world prepared for the World Cup as much as its organizers and soccer fans. The World Cup was used in many traditional scamming methods using social engineering. Cybercriminals created fake championship partner websites to gain access to victims' bank and other accounts, carried out targeted attacks, and created [bogus fifa.com account sign-in pages](<https://securelist.ru/2018-fraud-world-cup/90108/>).\n\n### HTTPS\n\n[As mentioned in the 2017 report](<https://securelist.com/spam-and-phishing-in-2017/83833/#phishing-pages-migrate-to-https>), more and more phishing pages are now found on [certified](<https://encyclopedia.kaspersky.ru/glossary/digital-certificates/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) domains. Those may include hacked or specially registered domains that cybercriminals use to store their content. This has to do with the fact that most of the Internet is switching to HTTPS and it has become easy to get a simple certificate. 
In the middle of the second quarter, this prompted Google to [announce future efforts](<https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html>) aimed at changing the way Chrome works with certificates. Starting in September 2018, the browser (Chrome 69) will stop marking HTTPS sites as \"Secure\" in the URL bar. Instead, starting in October 2018, Chrome will start displaying the \"Not secure\" label when users enter data on unencrypted sites. \n\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10123710/180810-spam-report-q2-18-3-5.gif)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10123710/180810-spam-report-q2-18-3-5.gif>)\n\n_When Chrome 70 comes out in October 2018, a red \"Not secure\" marker will be displayed for all HTTP sites where users enter data._\n\nGoogle believes that this will make more sites use encryption. After all, users should expect the web to be safe by default and receive warnings only in the event of any issues.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122456/180810-spam-report-q2-18-4.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122456/180810-spam-report-q2-18-4.png>)\n\n_An example of a certified phishing website marked as \"Secure\"._\n\nAt the moment, the green Secure message in the URL bar is rather misleading for a user, especially when they visit a phishing website.\n\n### Vacation season\n\nIn anticipation of the vacation season, cybercriminals have used all of the possible topics that may interest travelers, [from airplane ticket purchases to hotel bookings](<https://www.kaspersky.com/blog/protect-your-vacation/22352>). For instance, we've found many websites that offer very tempting accommodations at absurd prices (e.g., an entire four-bedroom house in Prague with a pool and a fireplace at $1,000 a month). 
Such websites pose as Amazon, TripAdvisor, and other sites popular among travelers.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122505/180810-spam-report-q2-18-5.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122505/180810-spam-report-q2-18-5.png>)\n\n_An example of a fake hotel booking website_\n\nA similar method is used to fake ticket aggregator websites. In these cases, the displayed flight information is real, but the tickets turn out to be fake.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122513/180810-spam-report-q2-18-6.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122513/180810-spam-report-q2-18-6.png>)\n\n_An example of fake airline ticket websites_\n\n## Distribution channels\n\nIn our reports, we regularly point out that phishing and other spam moved well beyond email long ago. Attackers use every means of communication at their disposal and even recruit unsuspecting users to distribute malware for them. In this quarter, most large-scale attacks were found in messengers and on social networks.\n\n### WhatsApp\n\nCybercriminals have been using WhatsApp more frequently to distribute their content lately. WhatsApp users copy and resend spam messages themselves, just as they used to do with chain letters many years ago. Most of these messages contain information about fictional lotteries or giveaways (we have already discussed these types of scams many times). Last quarter, cybercriminals brought back the airline ticket giveaways. This quarter, in Russia for instance, they used the names of [popular retailers](<https://www.kaspersky.ru/blog/coupon-scam/20830>) such as Pyaterochka, Leroy Merlin and McDonald's. 
Some fake messages come from popular sportswear brands, as well as certain stores and coffee shops.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122520/180810-spam-report-q2-18-6-5.jpg)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122520/180810-spam-report-q2-18-6-5.jpg>)\n\n_Users share messages about ticket raffles with their contacts via a messenger since it's one of the conditions for winning_\n\nOnce a user has sent the message to some friends, he or she is redirected to another resource, the content of which changes depending on the victim's location and device. If the user visits the site from their smartphone, most often they are automatically subscribed to paid services. The user may also be redirected to a page containing a survey or a lottery or to some other malicious website. For instance, a user may be invited to install a browser extension which will later intercept the data they enter on other websites and use their name to do other things online, such as publish posts on social media.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122527/180810-spam-report-q2-18-7.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122527/180810-spam-report-q2-18-7.png>)\n\n_An example of a page which a user is redirected to after a survey, at the end of which they were promised a coupon to be used in a popular retail chain. As you can see, no coupon has been received, but the user is invited to install a browser extension with suspicious permissions._\n\n### Twitter and Instagram\n\nCybercriminals have been using Twitter to distribute fraudulent content for a long time. 
However, it has recently become a breeding ground for fake celebrity and company accounts.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122533/180810-spam-report-q2-18-8.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122533/180810-spam-report-q2-18-8.png>)\n\n_Fake account for Pavel Durov_\n\nThe most popular cover used by cybercriminals is cryptocurrency giveaways on behalf of celebrities. The user is asked to transfer a small amount of cryptocurrency to a certain wallet to get double or triple coins back. To enhance trust, the wallet may be located on a separate website, which also contains a list of fake transactions that the victim can see \"updating\" in real time, which confirms that any person who transfers money to the fake wallet gets back several times the amount transferred. Of course, the victim does not receive anything. Despite the simplicity of this scheme, it makes cybercriminals millions of dollars. This quarter, cybercriminals favoured the names of Elon Musk, Pavel Durov, and Vitalik Buterin in their schemes. These names were chosen for a reason \u2014 Elon Musk is an entrepreneur, inventor, and investor, while Durov and Buterin made it to the cryptocurrency market leader list [published by Fortune](<http://fortune.com/the-ledger-40-under-40>).\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122541/180810-spam-report-q2-18-9.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122541/180810-spam-report-q2-18-9.png>)\n\n_An example of a website advertised on Elon Musk's fake account_\n\nNews sensations make these schemes even more effective. For instance, the shutdown of the Telegram messenger generated a wave of fake messages from \"Pavel Durov\" promising compensation. In this case cybercriminals use similarly-spelled account names. 
For example, if the original account name contains an underscore, cybercriminals register a new user with two underscores in the name and publish messages about cryptocurrency giveaways in comments to the celebrities' authentic Twitter posts. As a result, even a detail-oriented person may have a hard time spotting the fake.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122549/180810-spam-report-q2-18-10.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122549/180810-spam-report-q2-18-10.png>)\n\nTwitter administration promised to stop this type of fraud a long time ago. One of their first steps involved blocking accounts that tried to change the user's name to Elon Musk, and most probably other names commonly used by cybercriminals as well. However, it is easy to keep the account from being blocked by entering a Captcha and a code sent via text, after which the user can keep Elon's name or change it to anything they want\u2014 the account will not be blocked again. It is also unclear whether Twitter will block the obfuscated names of famous people that are often exploited by cybercriminals.\n\nAnother measure taken by the social network is blocking accounts that post links to Elon Musk's account. Just like in the previous example, the account can be unblocked by entering a Captcha and confirming a phone number via a code received in a text message.\n\nThis scam has started spreading to other platforms as well. 
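The underscore-doubling and look-alike-name trick described above can be caught mechanically on the defender's side. As an added example (not Kaspersky's code), the Python below canonicalises a Twitter-style handle (case folded, underscore runs collapsed, digit/letter look-alikes such as 1 for l and 0 for o mapped) and flags it when it sits within one edit of a protected handle. The protected-handle list, the sample handles and all function names are constructed for the example; an organisation would substitute its own list of executives and brand accounts.

```python
# Added example, not Kaspersky code: flag handles that impersonate a
# protected account through underscore doubling, digit/letter look-alikes
# or a single-character edit. PROTECTED is a constructed list.
import re

LOOKALIKE = str.maketrans({'0': 'o', '1': 'l', 'i': 'l', '3': 'e', '5': 's', '7': 't'})
HANDLE_RE = re.compile(r'^[A-Za-z0-9_]{1,15}$')  # Twitter handle alphabet

def canonical(handle):
    '''Fold case, map look-alike characters and collapse underscore runs,
    so that E1on__Musk and elon_musk compare equal.'''
    h = handle.lstrip('@').lower().translate(LOOKALIKE)
    return re.sub(r'_+', '_', h)

def edit_distance(a, b):
    '''Levenshtein distance (insert, delete, substitute).'''
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(handle, protected, max_edits=1):
    '''Return the protected handle that this handle impersonates, or None.
    The protected accounts themselves are never flagged.'''
    bare = handle.lstrip('@')
    if not HANDLE_RE.match(bare):
        return None
    if bare.lower() in {p.lower() for p in protected}:
        return None
    c = canonical(bare)
    best = None
    for real in protected:
        d = edit_distance(c, canonical(real))
        if d <= max_edits and (best is None or d < best[1]):
            best = (real, d)
    return best[0] if best else None

PROTECTED = ['elonmusk', 'pavel_durov', 'vitalikbuterin']  # constructed list

if __name__ == '__main__':
    for h in ('@elonmusk', '@elon_musk', '@e1onmusk', '@pavel__durov', '@someone_else'):
        print(h, '->', lookalike_of(h, PROTECTED))
```

Canonicalisation before the distance check is what makes the doubled-underscore case a distance of zero rather than one, so the edit budget is left for genuine typos and transpositions; raising max_edits above one quickly produces false positives on short handles.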
Fake accounts can also be found on Instagram.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10124414/180810-spam-report-q2-18-10-5.jpg)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10124414/180810-spam-report-q2-18-10-5.jpg>)\n\n_Vitalik Buterin's fake Instagram account_\n\n### Facebook\n\nOn Facebook, in addition to the aforementioned content distribution through viral threads, cybercriminals often use the advertising mechanisms offered by the social network. We have recorded instances of get-rich-quick schemes being spread through Facebook ads.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122556/180810-spam-report-q2-18-11.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122556/180810-spam-report-q2-18-11.png>)\n\n_Fraudulent website ad on Facebook_\n\nAfter clicking on the ad, the user is redirected to a website where, after completing a few steps, they are offered a reward. To receive this reward, the user must either pay a fee, enter their credit card information, or share some personal details. Of course, the user does not receive any reward in the end.\n\n### Search results\n\nAds with malicious content and links to phishing sites can be found not only on social networks, but also in the search results pages of major search engines. 
This has recently become a popular method of advertising fake ICO project websites.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122602/180810-spam-report-q2-18-12.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122602/180810-spam-report-q2-18-12.png>)\n\n_Users do not always notice the \"Ad\" label next to the ads_\n\n## Spammer tricks\n\nLast quarter, spammers tried to use the following new tricks to evade filters.\n\n### Double email headers\n\nWhen generating spam emails, spammers placed two From fields in the email header. The first From field contained a legitimate address, usually one belonging to a well-known organization whose reputation is untarnished by spam, while the second contained the actual spammer address, which had nothing to do with the first. Spammers expected filters to treat the email as legitimate, forgetting that modern anti-spam solutions rely not only on the technical part of the email but also on its content. A message with two From headers also violates RFC 5322, which requires exactly one, so the duplication is itself a signal a filter can act on.\n\n### Subscription forms\n\nIn this case, spam arrives in recipients' inboxes in the form of automatic mailing-list subscription confirmations. Ordinary websites that allow unlimited user registration were used to generate them (especially those that accept the same email address multiple times). Spammers used a script that auto-filled subscription forms with recipient addresses taken from previously collected (or purchased) databases. The spam content was a short phrase with a link to a spam resource, inserted into one of the form's mandatory fields (in particular, the recipient name). 
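Both tricks in this section have a cheap mechanical check, one on the receiving side and one on the sending side. As an added example (not Kaspersky's code), the Python below parses a raw message and reports duplicate From headers (RFC 5322 permits exactly one, so two is itself a red flag; the sender of record is taken from the last one rather than the reputable-looking first one), and validates a subscription form's name field so that the confirmation mail cannot relay a spam link. The sample message, the form inputs and the function names are constructed for the example.

```python
# Added example, not Kaspersky code. 1) A message with two From headers
# is malformed under RFC 5322; report it and take the sender domain from
# the last From header, not the first reputable-looking one. 2) A
# subscription form should refuse a name that carries a link, so that the
# confirmation mail cannot carry a spam URL. Samples are constructed.
import re
from email.parser import BytesParser
from email.utils import parseaddr

SAMPLE_DOUBLE_FROM = (
    b'From: Accounts <billing@bank.example>\r\n'
    b'From: Promo <promo@spam.example>\r\n'
    b'To: victim@example.org\r\n'
    b'Subject: Your invoice\r\n'
    b'\r\n'
    b'Please see http://spam.example/offer\r\n'
)

def from_headers(raw):
    '''Return (display name, address) for every From header, in order.'''
    msg = BytesParser().parsebytes(raw)
    return [parseaddr(v) for v in msg.get_all('From', [])]

def check_from(raw):
    '''Return (verdict, sender_domain). Verdict is 'ok', 'missing' or
    'duplicate-from'; the domain comes from the last From header.'''
    froms = from_headers(raw)
    if not froms:
        return 'missing', None
    domain = froms[-1][1].rsplit('@', 1)[-1].lower()
    if len(froms) > 1:
        return 'duplicate-from', domain
    return 'ok', domain

# Scheme, www. prefix, or a bare label.tld followed by /, end or space.
URL_IN_NAME = re.compile(r'(https?://|www[.]|[a-z0-9-]{2,}[.][a-z]{2,}(/|$| ))', re.I)

def clean_name_field(value, max_len=64):
    '''Validate a subscription-form name. Returns the whitespace-normalised
    name, or None when it is empty, implausibly long or carries a link.'''
    v = ' '.join(value.split())
    if not v or len(v) > max_len or URL_IN_NAME.search(v):
        return None
    return v

if __name__ == '__main__':
    print(check_from(SAMPLE_DOUBLE_FROM))
    for name in ('  John   Smith ', 'Win now http://spam.example/offer', 'see spam.example/offer'):
        print(repr(name), '->', clean_name_field(name))
```

On the receiving side, rejecting or quarantining a duplicate-From message is safe because no compliant sender produces one; on the sending side, the form check matters more than output escaping, since the confirmation mail is plain text and the link is harmful as soon as it is delivered.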
As a result, the user received a notification sent from a legitimate mail address containing a spam link instead of their name.\n\n[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122609/180810-spam-report-q2-18-13.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122609/180810-spam-report-q2-18-13.png>)\n\n_An example of spam mail sent using the subscription service on a legitimate site_\n\n## Statistics: spam\n\n### Proportion of spam in email traffic\n\nProportion of spam in global email traffic, Q1 and Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122615/180810-spam-report-q2-18-14.png>)\n\nIn Q2 2018, the largest percentage of spam was recorded in May at 50.65%. The average percentage of spam in world mail traffic was 49.66%, 2.16 p.p. lower than in the previous reporting period.\n\n### Sources of spam by country\n\nSpam-originating countries, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122622/180810-spam-report-q2-18-15.png>)\n\nVietnam, the leading spam-originating country in Q1 2018, fell to seventh place (3.98%) in the second quarter and was replaced at the top by China (14.36%). The second and third places, the USA and Germany, are only one percentage point apart, with 12.11% and 11.12% shares, respectively. France occupied fourth place (4.42%), and fifth was occupied by Russia (4.34%). Great Britain occupied tenth place (2.43%).\n\n### Spam email size\n\nSpam email size, Q1 and Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122628/180810-spam-report-q2-18-16.png>)\n\nThe Q2 2018 results indicate that the share of very small spam messages (up to 2 KB) fell 2.45 p.p. to 79.17%. The percentage of 5-10 KB spam messages, on the other hand, grew somewhat (by 1.45 p.p.) 
in comparison with the previous quarter and amounted to 5.56%.\n\nThe percentage of 10-20 KB spam messages changed little, falling 0.93 p.p. to 3.68%. 20-50 KB spam messages saw a similar trend, their share decreasing by 0.4 p.p. (to 2.68%) in comparison with the previous reporting period.\n\n### Malicious attachments: malware families\n\nTop 10 malware families, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122634/180810-spam-report-q2-18-17.png>)\n\nAccording to the Q2 2018 results, the most widely distributed family of malware sent by mail was Exploit.Win32.CVE-2017-11882 (10.35%). This verdict covers various malicious documents that exploit CVE-2017-11882, a memory-corruption vulnerability in the Microsoft Office Equation Editor component, typically delivered inside Word or RTF documents. Mail carrying the Trojan-PSW.Win32.Fareit family, which steals user information and passwords, decreased during the second quarter; it dropped from first to second place (5.90%). The third and fourth places are occupied by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%). The Worm.Win32.WBVB family was the fifth most popular malware with cybercriminals.\n\n### Countries targeted by malicious mailshots\n\nDistribution of Mail Anti-Virus triggers by country, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122641/180810-spam-report-q2-18-18.png>)\n\nThe first, second, and third places among the countries with the highest quantity of Mail Anti-Virus triggers in Q2 2018 were unchanged. Germany remained in first place (9.54%), and the second and third places were taken by Russia and Great Britain (8.78% and 8.67%, respectively). The fourth and fifth places were taken by Brazil (7.07%) and Italy (5.39%).\n\n## Statistics: phishing\n\nIn Q2 2018, the Anti-Phishing system prevented **107,785,069** attempts to connect users to malicious websites. 
9.6% of all Kaspersky Lab users around the world were attacked.\n\n### Geography of attacks\n\nThe country with the highest percentage of users attacked by phishing in Q2 2018 was again Brazil, with 15.51% (-3.56 p.p.).\n\nGeography of phishing attacks, Q2 2018 [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122648/180810-spam-report-q2-18-19.png>)\n\n**Country** | **%*** \n---|--- \nBrazil | 15.51 \nChina | 14.77 \nGeorgia | 14.44 \nKyrgyzstan | 13.60 \nRussia | 13.27 \nVenezuela | 13.26 \nMacao | 12.84 \nPortugal | 12.59 \nBelarus | 12.29 \nSouth Korea | 11.66 \n \n_* Percentage of users on whose computers the Anti-Phishing system triggered, out of all Kaspersky Lab users in the respective country._\n\n### Organizations under attack\n\n_The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab's heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat._\n\nIn Q2 2018, the Global Internet Portals category again took first place with 25.00% (+1.3 p.p.).\n\n_Distribution of organizations affected by phishing attacks by category, Q2 2018._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/10122656/180810-spam-report-q2-18-20.png>)\n\nThe percentage of attacks on organizations that may be combined into a general Finance category (banks, at 21.10%, online stores, at 8.17%, and payment systems, at 6.43%) fell to 35.70% (-8.22 p.p.). IT companies in the second quarter were more often subject to threats than in the first quarter. This category saw an increase of 12.28 p.p. 
to 13.83%.\n\n## Conclusion\n\nAverage spam volume of 49.66% in world mail traffic in this quarter fell 2.16 p.p. in comparison with the previous reporting period, and the Antiphishing system prevented more than 107M attempts to connect users to phishing sites, which is 17M more than in the first quarter of 2018.\n\nIn this quarter, malefactors actively used GDPR, World Cup, and cryptocurrency themes, and links to malicious websites could be found on social networks and messengers (users were often distributing them themselves), as well as in marketing messages served by large search engines.\n\nExploit.Win32.CVE-2017-11882 was the most widely-distributed family of malware via mail, at 10.35%. Trojan-PSW.Win32.Fareit fell from the first place to the second place (5.90%), and the third and fourth places were taken by Backdoor.Win32.Androm (5.71%) and Backdoor.Java.QRat (3.80%).", "reporter": "Maria Vergelis", "published": "2018-08-14T10:00:36", "type": "securelist", "title": "Spam and phishing in Q2 2018", "enchantments": {"score": {"modified": "2018-08-14T10:31:27", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "blog", "cvelist": ["CVE-2017-11882"], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-08-14T10:00:36", "id": "SECURELIST:03923D895F0F0B7EB3A51F48002D1416", "href": "https://securelist.com/spam-and-phishing-in-q2-2018/87368/", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}}